mongodb / mongodb-kubernetes-operator

MongoDB Community Kubernetes Operator

Configurable TLS mode when ReplicaSetHorizons is enabled #636

Status: Closed (dgdevops closed this issue 3 years ago)

dgdevops commented 3 years ago

Hi,

First of all, this issue was raised more to get more insights about the TLS requirements of the ReplicaSetHorizons feature than to report a bug. When the ReplicaSetHorizons feature is enabled, the net.tls.mode is set automatically to requireTLS. Are there any plans to make the mode configurable? Having the mode set to preferTLS would be a great benefit when it comes to migration.

Thanks

chatton commented 3 years ago

Hi @dgdevops, in order for horizons to be configured correctly, TLS must be enabled. Are you currently working on migrating an existing non-TLS deployment to use horizons? If this is the case, you would need to configure your deployment to either preferTLS or requireTLS before transitioning to using horizons.

dgdevops commented 3 years ago

Hello @chatton, my plan is to migrate from VM mongo to Kubernetes by extending the existing VM replica set with the Kubernetes members. However, if requireTLS is enabled, then the VM mongos won't be able to connect to the Kubernetes ones. Overall, having TLS enabled makes sense when ReplicaSetHorizons is in use; however, I believe preferSSL would come in handy in the above-mentioned situation. Additionally, the VM & Kubernetes mongos are all in the internal network (with internally resolvable domain names), so preferSSL would also be reasonable in that case. Is there a way to make the TLS mode configurable?

chatton commented 3 years ago

Hi @dgdevops, the requireTLS setting is a requirement for the horizons feature to work. We recently added some in-depth details about configuring things; please take a look if you haven't already: https://github.com/mongodb/mongodb-kubernetes-operator/blob/1b5925c18368e5015efc32a00cf3f9680ca8a32c/docs/external_access.md

I'm closing this issue as it is not possible to configure preferTLS with horizons.

dgdevops commented 3 years ago

Hello @chatton, I am familiar with the requirements of the ReplicaSetHorizons feature & I did look into the external access documentation previously. The point of this issue was more to discuss whether there is/will be a way to make the TLS mode configurable to ease the migration in the scenario I described above. What is the common practice in these cases?

dgdevops commented 3 years ago

Hello @chatton, @priyolahiri, I did a few tests the previous week and made an attempt to connect an existing VM mongo replica set to a Kubernetes replica set by adding one of the Kubernetes members as a new member in the VM replica set; however, the Kubernetes member was marked as unhealthy. My suspicion is that it could be related to the requireTLS setting, which does not allow members that have TLS disabled to cluster with members that explicitly run in requireTLS mode. Going further with the migration plans, the applications that connect to the VM mongo replica set do not support TLS, so even if the data is migrated to the Kubernetes replica set, due to the requireTLS mode there is no room for proper migration without bringing the applications down, which is not an option, especially in a production environment. Are there any plans to prepare the Operator for such scenarios?
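As an added illustration of the mixed-mode situation discussed in this thread (not code from the operator project or from either commenter), the script below encodes the documented net.tls.mode semantics of mongod to show which member pairs can replicate, and lints a MongoDBCommunity spec for the "horizons require TLS" rule. The CRD field names (spec.security.tls.enabled, spec.replicaSetHorizons, spec.members) and the member-count check are assumptions taken from the operator's docs; all sample data is constructed.

```python
# Added example: model mongod net.tls.mode interactions between replica-set
# members and lint a MongoDBCommunity spec that enables replicaSetHorizons.
# Mode semantics (per the mongod documentation for net.tls.mode):
#   disabled   - no TLS in or out
#   allowTLS   - accepts TLS or plaintext; connects to other members in plaintext
#   preferTLS  - accepts TLS or plaintext; connects to other members with TLS
#   requireTLS - accepts only TLS; connects to other members with TLS
OUTGOING_TLS = {"disabled": False, "allowTLS": False,
                "preferTLS": True, "requireTLS": True}
ACCEPTS_TLS = {"disabled": {False}, "allowTLS": {False, True},
               "preferTLS": {False, True}, "requireTLS": {True}}


def can_replicate(mode_a: str, mode_b: str) -> bool:
    """True if two members can open connections to each other in both directions."""
    a_to_b = OUTGOING_TLS[mode_a] in ACCEPTS_TLS[mode_b]
    b_to_a = OUTGOING_TLS[mode_b] in ACCEPTS_TLS[mode_a]
    return a_to_b and b_to_a


def incompatible_pairs(members: dict) -> list:
    """members maps member name -> net.tls.mode; returns pairs that cannot talk."""
    names = sorted(members)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not can_replicate(members[a], members[b])]


def lint_horizons(spec: dict) -> list:
    """Check a MongoDBCommunity spec (assumed CRD field names) for the
    horizon/TLS constraints: TLS enabled, one horizon entry per member."""
    problems = []
    horizons = spec.get("replicaSetHorizons")
    if horizons is None:
        return problems
    if not spec.get("security", {}).get("tls", {}).get("enabled"):
        problems.append("replicaSetHorizons requires security.tls.enabled: true")
    members = spec.get("members", 0)
    if len(horizons) != members:
        problems.append(f"{len(horizons)} horizon entries for {members} members")
    return problems


# Constructed scenario from the thread: two VM members without TLS and one
# operator-managed member pinned to requireTLS because horizons are enabled.
HYBRID = {"vm-1": "disabled", "vm-2": "disabled", "k8s-0": "requireTLS"}

if __name__ == "__main__":
    print("members that cannot replicate:", incompatible_pairs(HYBRID))
```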